
Global Privacy Policy 
FAQs 


Introduction 

The following FAQs provide employees with a general understanding and best practices for applying the 
privacy principles in the Global Privacy Policy. These apply to all situations where you come into contact 
with personal data in the course of performing your employment duties at FedEx. 

Additional requirements may apply to the use of personal data within a specific job function. Should 
you have any questions about your obligations, please contact the Global Data Privacy Office at 

dataprivacy@fedex.com . 


Privacy Principles 

1. Fair and Lawful. When Processing Personal Data, 
the rights of the individual related to their Personal Data 
must be protected. Personal Data must be collected and 
Processed fairly and lawfully. 

Are you Processing the Personal Data fairly and 
lawfully? 

The main purpose of this principle is to be "fair" and 
protect the interests of the individuals whose Personal 
Data is being Processed. You should be open about 
developments, practices and policies with respect to 
Personal Data. If over time, there are new ways to use 
Personal Data, perhaps because of changes in technology, 
you may be able to use previously collected Personal Data 
for the new purpose if it is fair and lawful to do so. 

In practice, you should: 

• have legitimate grounds for collecting and using the 
Personal Data; 

• be transparent about how you intend to use the data, 
and give individuals appropriate privacy notices when 
collecting their Personal Data; 

• handle people's Personal Data only in ways they would 
reasonably expect; 

• make sure you do not do anything unlawful with the 
data; and 

• not use their information in ways that unjustifiably has 
a negative effect on them. 

2. Purpose Specification. Personal Data can be used 

or Processed only for the purpose defined at the time of 
collection and shall not be further used or Processed in any 
manner incompatible with that purpose. Personal Data may 
not be collected and stored for potential future use unless 
allowed by local law. 


Definitions 

What is "Personal Data"? 

Personal data is any information that 
can directly or indirectly be used to 
identify a natural person, whether 
that individual is an employee, a 
customer or employee of a customer, 
a vendor or employee of a vendor, a 
job applicant or any other third party. 
Examples of personal data include, 
names, identification numbers, email 
addresses, individual phone numbers, 
photos, IP addresses, device ID, etc. 

In most cases, information about a 
business (company name, general 
phone number) is not personal data. 

What is "Processing"? 

Processing means any operation 
performed on Personal Data, including 
collection, storage, access, review, 
transfer, copying, deletion or any other 
handling of the data. Examples include 
collecting customer information for 
FedEx records, accessing Workday 
records of an employee or transferring 
files with customer or employee 
information to a vendor. 
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What are you trying to achieve by collecting the Personal Data? 


Specify the reason or reasons for which you are collecting Personal Data. Anything you do with the data must be 
compatible with this purpose. 

In practice, you should: 

• be clear from the outset about why we are collecting Personal Data and what we intend to do with it; 

• give proper privacy notices to individuals when collecting their Personal Data; and 

• ensure that if we wish to use or disclose the Personal Data for any purpose that is additional to or different from the 
originally specified purpose, the new use or disclosure is fair. 

If you wish to use or disclose Personal Data for a purpose that was not contemplated at the time of collection (and 
therefore not specified in a privacy notice), you have to consider whether this will be fair. If using or disclosing the 
information would be unfair because it would be outside what the individual concerned would reasonably expect, or would 
have an unjustified adverse effect on them, then you should regard the use or disclosure as incompatible with the purpose 
you obtained the information for. Because it can be difficult to distinguish clearly between purposes that are compatible 
and those that are not, focus on whether the intended use of the information meets the fair Processing requirements set 
out above. 


3. Collection Limitation. FedExonly collects Personal Data necessary to 
meet the specified purpose at the time of collection and only to the extent 
allowed by local law. 

Are you collecting the minimum amount of information necessary to 
achieve the purpose specified? 

You should identify the minimum amount of Personal Data you need to properly 
fulfill your purpose, and only collect that amount of Personal Data. You should 
not hold additional Personal Data on the off-chance that it might be useful in 
the future. 

In practice, you should: 

• hold Personal Data about an individual that is sufficient for the purpose you 
are holding it for; and 

• not hold more information than you need for that purpose. For example, if 
you only need contact information to deliver a package, do not also collect 
any additional information, such as a customer's occupation, age or gender. 


4. Deletion. Personal Data no longer needed for the purpose specified at the 
time of collection shall be deleted according to applicable retention schedules 
unless it is subject to an exception from the Legal Department. 



Are you only keeping the data for as long as necessary for the purpose specified? 


Personal Data Processed for any purpose or purposes should not be kept for longer than is necessary for that purpose 
or those purposes. Consult your operating company's applicable retention policies and schedules for guidance. 


In practice, you should: 

• refer to the retention schedules; 

• review the length of time you keep Personal Data; 

• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain the 
Personal Data; 

• securely delete information that is no longer needed; and 

• update, archive or securely delete information if it goes out of date. 
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5. Data Quality. Personal Data should be accurate, and if necessary, kept up 
to date. 

Are you taking steps to ensure the data is accurate? 

It is in everyone's interest to have accurate data. If you are using your own 
resources to compile Personal Data about an individual, then you must make 
sure the information is correct. 

In practice, you should: 

• take reasonable steps to ensure the accuracy of any Personal Data you 
obtain (e.g., inviting data subjects to update their contact details); 

• identify the source of any Personal Data; 

• carefully consider any challenges to the accuracy of data; and 

• consider whether it is necessary to update the information. 

It may be impractical to check the accuracy of Personal Data someone else 
provides. In recognition of this, if you are holding inaccurate Personal Data, 
you will not be considered to have breached this principle as long as: 

• you have accurately recorded information provided by the individual 
concerned or a third party; 

• you have taken reasonable steps in the circumstances to ensure the 
accuracy of the information; and 

• if the individual has challenged the accuracy of the information, this is clear 
to those Processing it. 



6. Security Safeguards. Personal Data must be protected using technical, managerial and physical security measures 
against risk of loss, unauthorized access, destruction, use modification or disclosure. 

Are you foiiowing the infoSec standards? 

You must follow the InfoSec standards to ensure we have appropriate security measures to prevent Personal Data from 
being accidentally or deliberately compromised. 

In practice, you should: 

• follow the InfoSec standards [keyword: "standards”]; 

• be clear about who in your organization is responsible for ensuring information security; 

• make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, 
well-trained staff; and 

• notify InfoSec of any breach of security [keyword: "incident"]. 


7. Transparency. Individuals must be notified at the time of collection how their Personal Data is being used or Processed. 
They must be aware of who is collecting the Personal Data, the purpose for the Processing of the Personal Data and if third 
parties will Process the Personal Data, that adequate safeguards are in place. All such notices must be approved by the 
Legal Department. 

Are you being dear and open about how we coiiect and use Personal Data? 

It's important for individuals to know at the outset how their information will be used so they can make an informed 
decision. You must provide information about why and how we collect and use their information. 

In practice, you should: 

• be open and honest about our identity; and 

• tell people what we are collecting, how we intend to use any Personal Data we collect about them, the type of entities 
that will receive their data and any other information necessary to ensure that the Processing is performed fairly. 
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8. Individual Participation. To the extent required by local law, individuals 
have a right to access their Personal Data and where appropriate, to correct or 
delete it and exercise any other right provided by local law. 

Depending on the law that applies, rights can include the following: 

• a right of access to a copy of the information comprised in their Personal Data; 

• a right to object to Processing on grounds relating to his or her particular 
situation; 

• a right to prevent use of their Personal Data for direct marketing; 

• a right to object to decisions being taken by FedEx made by automated means 
(without human involvement); 

• a right in certain circumstances to have inaccurate Personal Data rectified, 
blocked, erased or destroyed; 

• a right to file a complaint with the national data protection authority; and 

• a right to claim compensation for damages caused by a breach of law. 



In practice, you should: 

• immediately forward a privacy-related request to the Global Privacy Office at dataprivacy@fedex.com : 

• timely and adequately follow any instructions provided by the Global Privacy Office or Legal Department in relation 

to the request of the individual, for instance to provide specific information regarding the individual or to amend certain 
information; and 

• never respond to a privacy-related request without first contacting the Global Privacy Office or the Legal Department 
and receiving instruction. 


Leave Requests Containing Special Categories of Personal Data 

Does the Global Chief Compliance and Governance Officer ("GCCGO") or the Global Privacy Office need to 
approve leave requests? 

Some leave requests may require you to Process special categories of Personal Data (e.g., health information). Your 
local Human Resources or Legal Departments can approve these requests without the approval of the GCCGO or 
Global Privacy Office. 

For any questions or if you are uncertain about how to comply with any of these principles, please reach out to the 
Global Privacy Office at dataprivacy@fedex.com . 
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